Investigate and Remediate Threats

Threat detection is only the first step in effective security operations. Once suspicious activity is identified, your team must establish the context, confirm the severity, and take appropriate action. Graylog provides built-in tools that streamline this process, allowing analysts to move from detection to response with clarity and efficiency.

This section of the documentation introduces key features that help you collaborate on cases, collect supporting evidence, and define consistent response actions to improve your organization’s security posture.

Investigations

The following feature exclusively pertains to Graylog Security. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Investigations provide a structured way to collect and organize evidence—such as dashboards, logs, saved searches, and events—into a single workspace. Analysts can quickly create investigations, associate events, prioritize tasks, and assign ownership to streamline collaboration and accelerate incident analysis.

Investigations also support full workflows like updating statuses, performing bulk actions, and generating AI-powered reports that summarize findings.

Graylog can automatically create a new investigation for each triggered alert or add alerts as evidence to an existing investigation. This integration streamlines incident response by organizing alerts into structured investigations, helping analysts efficiently manage and prioritize security events without manual effort.

Remediation

Once an investigation is underway or an event is confirmed as a security concern, the next step is remediation—taking defined actions to contain, mitigate, or resolve the threat. Graylog offers two complementary features that support consistent remediation workflows.

Event Procedures

The following feature exclusively pertains to Graylog Security. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Event Procedures offer a structured, repeatable framework for responding to security events. They guide analysts through predefined, actionable steps, such as running searches, navigating to dashboards, or sending notifications, directly within the Graylog interface, much like an incident response playbook. Procedures support dynamic context through event-based variables, can be reused across multiple rules and detectors, and include role-based access controls so that remediation is consistent, efficient, and limited to authorized users.

In Graylog 6.3, Event Procedures is released as an early access feature for evaluation and feedback, so its design and behavior may change significantly in future releases. To share feedback on your experience with Event Procedures, email feedback@graylog.com.

Remediation Steps

Remediation steps allow you to document and standardize the response actions to take when suspicious activity is discovered in your environment. These steps can be tailored to your organization and linked directly to investigations or security events. Integrating remediation into the investigation workflow ensures consistent, complete responses and supports audit and compliance efforts by making security actions transparent and repeatable.